SSH PAM_LINOTP problem


bestusern...@gmail.com

Aug 8, 2017, 8:45:39 AM
to LinOTP
Hi everyone,


I have trouble configuring pam_linotp on a recent Debian system, SSHD version 6.7.

I followed these tutorials (using the package manager for installation):


I'm trying to set up two-factor auth using both publickey and linotp.

In my sshd_config I added the following lines:

ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive:pam_linotp
UsePAM yes

In my /etc/pam.d/sshd I added the following line:
@include common-linotp

My /etc/pam.d/common-linotp looks like this:
auth [success=1 default=ignore] pam_linotp.so nosslcertverify nosslhostnameverify debug url=https://192.168.x.x/validate/simplecheck
auth    requisite                       pam_deny.so #commenting out this line didn't help
auth    required                        pam_permit.so #commenting out this line didn't help


Logging in via ssh results in the following behaviour:

login as: *****
Authenticating with public key "rsa-key-123456789" from agent
Further authentication required
Putty says: "Error:  No supported authentication methods available. Connection closed."
SSH says: "Authenticated with partial success. Permission denied (keyboard-interactive)."

auth.log:
Aug  8 14:27:15 <hostname> sshd[5074]: error: Received disconnect from <ip>: 14: No supported authentication methods available [preauth]


If I substitute pam_unix for pam_linotp, two-factor auth works just fine. It must be a problem with my pam_linotp configuration.

bestusern...@gmail.com

Aug 8, 2017, 9:50:19 AM
to LinOTP
Some further information on the topic...

No lines are generated in linotp.log on the LinOTP server.

auth.log with loglevel DEBUG3, starting after the matching key (first factor):

Aug  8 15:39:52 myhost sshd[5945]: debug1: matching key found: file /root/.ssh/authorized_keys, line 5 RSA *******************************
Aug  8 15:39:52 myhost sshd[5945]: debug1: restore_uid: 0/0
Aug  8 15:39:52 myhost sshd[5945]: debug3: mm_answer_keyallowed: key 0x*********** is allowed
Aug  8 15:39:52 myhost sshd[5945]: debug3: mm_request_send entering: type 23
Aug  8 15:39:52 myhost sshd[5945]: debug3: mm_key_verify entering [preauth]
Aug  8 15:39:52 myhost sshd[5945]: debug3: mm_request_send entering: type 24 [preauth]
Aug  8 15:39:52 myhost sshd[5945]: debug3: mm_key_verify: waiting for MONITOR_ANS_KEYVERIFY [preauth]
Aug  8 15:39:52 myhost sshd[5945]: debug3: mm_request_receive_expect entering: type 25 [preauth]
Aug  8 15:39:52 myhost sshd[5945]: debug3: mm_request_receive entering [preauth]
Aug  8 15:39:52 myhost sshd[5945]: debug3: mm_request_receive entering
Aug  8 15:39:52 myhost sshd[5945]: debug3: monitor_read: checking request 24
Aug  8 15:39:52 myhost sshd[5945]: debug3: mm_answer_keyverify: key 0x********** signature verified
Aug  8 15:39:52 myhost sshd[5945]: debug3: mm_request_send entering: type 25
Aug  8 15:39:52 myhost sshd[5945]: debug3: auth2_update_methods_lists: updating methods list after "publickey"
Aug  8 15:39:52 myhost sshd[5945]: debug3: authentication methods list 0 remaining: "keyboard-interactive:pam_linotp"
Aug  8 15:39:52 myhost sshd[5945]: debug3: monitor_child_preauth: method publickey: partial
Aug  8 15:39:52 myhost sshd[5945]: Partial publickey for root from 192.168.x.x port 54511 ssh2: RSA *******************************************
Aug  8 15:39:52 myhost sshd[5945]: debug2: userauth_pubkey: authenticated 1 pkalg ssh-rsa [preauth]
Aug  8 15:39:52 myhost sshd[5945]: debug3: auth2_update_methods_lists: updating methods list after "publickey" [preauth]
Aug  8 15:39:52 myhost sshd[5945]: debug3: authentication methods list 0 remaining: "keyboard-interactive:pam_linotp" [preauth]
Aug  8 15:39:52 myhost sshd[5945]: debug3: userauth_finish: failure partial=1 next methods="keyboard-interactive" [preauth]
Aug  8 15:39:52 myhost sshd[5945]: debug1: userauth-request for user root service ssh-connection method keyboard-interactive [preauth]
Aug  8 15:39:52 myhost sshd[5945]: debug1: attempt 3 failures 1 [preauth]
Aug  8 15:39:52 myhost sshd[5945]: debug2: input_userauth_request: try method keyboard-interactive [preauth]
Aug  8 15:39:52 myhost sshd[5945]: debug1: keyboard-interactive devs  [preauth]
Aug  8 15:39:52 myhost sshd[5945]: debug1: auth2_challenge: user=root devs= [preauth]
Aug  8 15:39:52 myhost sshd[5945]: debug1: kbdint_alloc: devices 'pam' [preauth]
Aug  8 15:39:52 myhost sshd[5945]: debug2: auth2_challenge_start: devices pam [preauth]
Aug  8 15:39:52 myhost sshd[5945]: debug2: kbdint_next_device: devices <empty> [preauth]
Aug  8 15:39:52 myhost sshd[5945]: debug3: userauth_finish: failure partial=0 next methods="keyboard-interactive" [preauth]
Aug  8 15:39:52 myhost sshd[5945]: Connection closed by 192.168.x.x [preauth]
Aug  8 15:39:52 myhost sshd[5945]: debug1: do_cleanup [preauth]
Aug  8 15:39:52 myhost sshd[5945]: debug3: PAM: sshpam_thread_cleanup entering [preauth]
Aug  8 15:39:52 myhost sshd[5945]: debug1: monitor_read_log: child log fd closed
Aug  8 15:39:52 myhost sshd[5945]: debug3: mm_request_receive entering
Aug  8 15:39:52 myhost sshd[5945]: debug1: do_cleanup
Aug  8 15:39:52 myhost sshd[5945]: debug1: PAM: cleanup
Aug  8 15:39:52 myhost sshd[5945]: debug3: PAM: sshpam_thread_cleanup entering
Aug  8 15:39:52 myhost sshd[5945]: debug1: Killing privsep child 5946

pcz1...@googlemail.com

Aug 24, 2017, 8:24:04 AM
to LinOTP
Hello,

If the configuration is implemented following http://linotp.org/howtos/howto-ssh.html, the parameter 'AuthenticationMethods' additionally has to be set in the sshd_config to implement several methods of authentication:

Example - publickey or keyboard interactive authentication only via PAM

"AuthenticationMethods publickey keyboard-interactive:pam"

Other combinations are possible.
If a user has a publickey, he passes authentication with it.
Other users need an OTP and their password; both are checked by pam.

Example - publickey and keyboard interactive authentication

"AuthenticationMethods publickey,keyboard-interactive:pam"

The comma says both must be successful for a login.

Best regards

Peter
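Added example, not part of this thread: a small Python model of how sshd reads the AuthenticationMethods option (space-separated entries are alternatives, comma-separated methods inside one entry must all succeed, in order), plus a check that the device given after "keyboard-interactive:" is one OpenSSH actually knows. The device set {pam, bsdauth, skey} comes from OpenSSH's keyboard-interactive code; the sample option values are constructed from the two sshd_config lines discussed above.

```python
# Added example (not from the thread): simplified model of sshd's handling of
# AuthenticationMethods and of the keyboard-interactive device names it accepts.

# keyboard-interactive devices OpenSSH knows. Any other name after
# "keyboard-interactive:" leaves sshd with no device to challenge with, which is
# what "kbdint_next_device: devices <empty>" in the DEBUG3 log above shows.
KBDINT_DEVICES = {"pam", "bsdauth", "skey"}


def parse_methods(value):
    """'publickey keyboard-interactive:pam' -> [['publickey'], ['keyboard-interactive:pam']]

    Space-separated entries are alternative lists; comma-separated methods
    inside one entry must all succeed, in the order given.
    """
    return [entry.split(",") for entry in value.split()]


def unknown_devices(value):
    """Return keyboard-interactive entries whose device suffix sshd would not recognise."""
    bad = []
    for methods in parse_methods(value):
        for m in methods:
            name, _, dev = m.partition(":")
            if name == "keyboard-interactive" and dev and dev not in KBDINT_DEVICES:
                bad.append(m)
    return bad


def login_allowed(value, completed):
    """Replay successfully completed methods against the option value.

    completed: method names in the order the client passed them, without the
    device suffix, e.g. ["publickey", "keyboard-interactive"]. sshd only offers
    a method that heads at least one remaining list; a success trims every list
    it heads, and an emptied list means the login is accepted.
    """
    remaining = [[m.partition(":")[0] for m in ml] for ml in parse_methods(value)]
    for method in completed:
        if not any(ml and ml[0] == method for ml in remaining):
            return False  # sshd would not have offered this method at all
        remaining = [ml[1:] if ml and ml[0] == method else ml for ml in remaining]
        if any(not ml for ml in remaining):
            return True
    return False


if __name__ == "__main__":
    for opt in ("publickey,keyboard-interactive:pam_linotp", "publickey,keyboard-interactive:pam"):
        print(opt, "-> unknown devices:", unknown_devices(opt))
```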